Command Execution Vulnerability in WordPress Affecting all Versions
A command execution vulnerability has been found in WordPress's handling of incoming cookie data. It allows remote attackers to make the program execute arbitrary code if the PHP setting register_globals is set to On.
Perl and PHP exploits are already available. The vulnerability affects WordPress version 1.5.1.3 and earlier when register_globals is set to On. The information has been provided by Kartoffelguru.
WordPress developers are working on a fix.
Update: As a fix, add the following line to your php.ini file (in the WordPress root):
php_flag register_globals off
Do it now.
Note: This may affect the functioning of some plugins that rely on PHP global variables being available.
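To audit which value a configuration file actually sets, the following added example (not part of the original post) parses configuration text and reports the state of register_globals. It handles both syntaxes: the `php_flag register_globals off` form given in the update, which is the Apache mod_php directive form used in .htaccess or httpd.conf, and the `register_globals = Off` form that php.ini itself uses. The function name and the sample file contents are constructed for illustration.

```python
import re

# php.ini syntax:         register_globals = Off
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^\s";]*)', re.I)
# Apache mod_php syntax:  php_flag register_globals off   (.htaccess, httpd.conf)
APACHE_RE = re.compile(r'^\s*php_(?:admin_)?flag\s+register_globals\s+"?([^\s"]+)', re.I)

# php.ini accepts several spellings of "enabled"; php_flag only honours On or 1.
ENABLED = {"ini": {"1", "on", "yes", "true"}, "apache": {"1", "on"}}


def register_globals_state(text, style):
    """Return 'on', 'off' or 'unset' for config text in 'ini' or 'apache' style."""
    pattern = INI_RE if style == "ini" else APACHE_RE
    state = "unset"
    for line in text.splitlines():
        # Commented-out lines begin with ';' or '#', so they never match.
        match = pattern.match(line)
        if match:
            # A later directive overrides an earlier one, so keep scanning.
            state = "on" if match.group(1).lower() in ENABLED[style] else "off"
    return state


# Constructed sample files, not taken from any real server.
SAMPLE_INI = """\
; register_globals = Off
register_globals = On
"""
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
php_flag register_globals on
php_flag register_globals off
"""

if __name__ == "__main__":
    for name, text, style in (("php.ini", SAMPLE_INI, "ini"),
                              (".htaccess", SAMPLE_HTACCESS, "apache")):
        print(f"{name}: register_globals is {register_globals_state(text, style)}")
```

A result of 'unset' means the file does not set the directive in that syntax, so the value is inherited from elsewhere; confirm the effective value with phpinfo() or ini_get('register_globals').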

August 13th, 2005 at 12:31 pm
[...] [Source: Simple Thoughts] [...]
August 13th, 2005 at 3:03 pm
Podz has posted a fix here
August 13th, 2005 at 3:05 pm
I’ll try again (!) - Podz has posted a fix here: http://www.tamba2.org.uk/T2/archives/2005/08/13/stop-your-blog-being-hacked/
August 13th, 2005 at 4:20 pm
[...] The site SecuriTeam, which specializes in the security of computer systems and applications, has announced a vulnerability present in version 1.5.3 that affects all versions of WordPress, including the most recent, 1.5.3, and that should be fixed immediately. [...]
August 13th, 2005 at 7:55 pm
Thanks Tom for the update.